IMHO, between the two it should be the effectiveness of the controls.
But the problem is not what you measure but how you measure...
Also, should we get into measuring the effectiveness of the controls, or is it the
overall security context that we should be concerned with, since 27001 is an
ISMS?
Regards
Samir Pawaskar
----- Original Message -----
From: "stanley perreira" <1979stanley (at) gmail (dot) com [email concealed]>
To: <bs7799 (at) securityfocus (dot) com [email concealed]>
Sent: Tuesday, July 18, 2006 6:18 PM
Subject: Metrics in ISO 27001
> Hello,
>
> I am trying to develop metrics for the ISO 27001. There does not seem
> to be much of a consensus on how to go about it.
>
> What are we supposed to measure here - is it the effectiveness of the
> controls or how many controls are being followed?
>